Bug 837602

Summary: cups + krb: it falls down into basic authorization instead of negotiate
Product: Red Hat Enterprise Linux 7
Component: cups
Version: 7.0
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: high
Target Milestone: rc
Keywords: Patch, Regression
Hardware: Unspecified
OS: Unspecified
Reporter: Petr Sklenar <psklenar>
Assignee: Tim Waugh <twaugh>
QA Contact: Petr Sklenar <psklenar>
CC: jpopelka, jscotka, marcus.moeller, sandro
Doc Type: Bug Fix
Type: Bug
Last Closed: 2014-06-13 11:47:21 UTC
Attachments: Upstream patch (flags: none)

Description Petr Sklenar 2012-07-04 11:02:16 UTC
Description of problem:
cups + krb: it falls down into basic authorization instead of negotiate
There is an error: 'Authorized using Basic, expected Negotiate!'


Version-Release number of selected component (if applicable):
# rpm -q cups
cups-1.5.3-1.1.el7.x86_64

# rpm -qa | grep krb
krb5-appl-clients-1.0.2-4.el7.x86_64
krb5-appl-servers-1.0.2-4.el7.x86_64
krb5-debuginfo-1.10-6.el7.x86_64
krb5-appl-debuginfo-1.0.2-4.el7.x86_64
krb5-pkinit-1.10-6.el7.x86_64
krb5-libs-1.10-6.el7.x86_64
krb5-server-1.10-6.el7.x86_64
krb5-auth-dialog-3.2.1-3.el7.x86_64
krb5-workstation-1.10-6.el7.x86_64
krb5-devel-1.10-6.el7.x86_64
krb5-server-ldap-1.10-6.el7.x86_64
pam_krb5-2.3.13-2.el7.x86_64
krb5-auth-dialog-debuginfo-3.2.1-3.el7.x86_64



How reproducible:
deterministic

Steps to Reproduce:
1. set up cups + krb5, DefaultAuthType=Negotiate
2. user has valid ticket

# klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: KerberesiedPetr

Valid starting     Expires            Service principal
07/04/12 10:57:43  07/05/12 10:57:43  krbtgt/EXAMPLE.COM
	renew until 07/04/12 10:57:43


3. user is in the root group
# id KerberesiedPetr
uid=1001(KerberesiedPetr) gid=1001(KerberesiedPetr) groups=1001(KerberesiedPetr),0(root)

4. lpadmin -p $TPRN1 -v file:/dev/null -E -m $ML
  
Actual results:
lpadmin expects a password for root on localhost?

cups/error_log:

D [04/Jul/2012:10:48:10 -0400] cupsdReadClient: 19 1.1 CUPS-Add-Modify-Printer 1
D [04/Jul/2012:10:48:10 -0400] CUPS-Add-Modify-Printer ipp://localhost:631/printers/testprinter1
D [04/Jul/2012:10:48:10 -0400] cupsdIsAuthorized: username="root"
E [04/Jul/2012:10:48:10 -0400] Authorized using Basic, expected Negotiate!
D [04/Jul/2012:10:48:10 -0400] Returning HTTP Unauthorized for CUPS-Add-Modify-Printer (ipp://localhost:631/printers/testprinter1) from localhost


Expected results:
no password is expected


Additional info:
RHEL 6 works well with exactly the same settings

Comment 4 Tim Waugh 2012-07-17 16:50:33 UTC
This seems to be due to a check at the server end about whether this is a local connection:

scheduler/client.c:2719 (cupsdSendHeader):

#ifdef HAVE_GSSAPI
    else if (auth_type == CUPSD_AUTH_NEGOTIATE)
    {
#  ifdef AF_LOCAL
      if (_httpAddrFamily(con->http.hostaddr) == AF_LOCAL)
        strlcpy(auth_str, "Basic realm=\"CUPS\"", sizeof(auth_str));
      else
#  endif /* AF_LOCAL */
      strlcpy(auth_str, "Negotiate", sizeof(auth_str));
    }
#endif /* HAVE_GSSAPI */

Adjusting the lpadmin command to add "-h $IP_ADDR" with the external IP address of the machine allows it to succeed.

This seems to have been added as part of upstream revision 9732 on trunk:

commit 8e48ce8bd6acc030f9e913cd80ed31e7465d7ef1
Author: mike <mike@7a7537e8-13f0-0310-91df-b6672ffda945>
Date:   Sun May 1 19:55:04 2011 +0000

    Use GSS framework, when available, and support acquisition of Kerberos creds
    when the underlying libraries support it (may add others as time permits).
    
    
    git-svn-id: http://svn.easysw.com/public/cups/trunk@9732 7a7537e8-13f0-0310-91df-b6672ffda945
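
Added example (not part of the original bug report, the upstream patch, or CUPS itself): a Python scan of error_log that finds each "Authorized using X, expected Y!" error and joins it with the username and the rejected operation logged around it, so an administrator can see which requests hit the Basic fallback described in Comment 4. The function name find_auth_fallbacks and the sample log are assumptions made for this example, and the scan assumes requests are logged one after another without interleaving.

```python
import re

# Constructed sample: the first five lines follow the error_log excerpt in the
# bug description; the last two are invented to show a plain 401 being ignored.
SAMPLE_LOG = """\
D [04/Jul/2012:10:48:10 -0400] cupsdReadClient: 19 1.1 CUPS-Add-Modify-Printer 1
D [04/Jul/2012:10:48:10 -0400] CUPS-Add-Modify-Printer ipp://localhost:631/printers/testprinter1
D [04/Jul/2012:10:48:10 -0400] cupsdIsAuthorized: username="root"
E [04/Jul/2012:10:48:10 -0400] Authorized using Basic, expected Negotiate!
D [04/Jul/2012:10:48:10 -0400] Returning HTTP Unauthorized for CUPS-Add-Modify-Printer (ipp://localhost:631/printers/testprinter1) from localhost
D [04/Jul/2012:10:49:02 -0400] cupsdIsAuthorized: username="alice"
D [04/Jul/2012:10:49:02 -0400] Returning HTTP Unauthorized for Get-Jobs (ipp://localhost:631/) from localhost
"""

LINE = re.compile(r'^(?P<lvl>[A-Za-z]) \[(?P<ts>[^\]]+)\] (?P<msg>.*)$')
USER = re.compile(r'cupsdIsAuthorized: username="(?P<user>[^"]*)"')
MISMATCH = re.compile(r'Authorized using (?P<got>\w+), expected (?P<want>\w+)!')
DENIED = re.compile(r'Returning HTTP Unauthorized for (?P<op>\S+) \((?P<uri>[^)]*)\) from (?P<host>\S+)')

def find_auth_fallbacks(text):
    """Return one dict per scheme-mismatch error, joined with the username
    logged before it and the rejected operation/client logged after it.
    Assumes one request's lines are contiguous (no interleaved clients)."""
    events, user, pending = [], None, None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip blank or non-log lines
        msg = m["msg"]
        if (u := USER.search(msg)):
            user = u["user"]
        elif (mm := MISMATCH.search(msg)):
            pending = {"time": m["ts"], "user": user, "got": mm["got"],
                       "expected": mm["want"], "operation": None,
                       "uri": None, "client": None}
            events.append(pending)
        elif (d := DENIED.search(msg)):
            if pending is not None:  # this 401 closes the mismatched request
                pending.update(operation=d["op"], uri=d["uri"], client=d["host"])
            user, pending = None, None  # request finished either way
    return events

if __name__ == "__main__":
    for event in find_auth_fallbacks(SAMPLE_LOG):
        print(event)
```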

Comment 5 Tim Waugh 2012-07-18 12:01:10 UTC
Reported upstream.

Comment 6 Tim Waugh 2012-08-03 11:17:05 UTC
*** Bug 842782 has been marked as a duplicate of this bug. ***

Comment 9 Tim Waugh 2012-12-18 10:57:33 UTC
Created attachment 665435
Upstream patch

Comment 10 Jiri Popelka 2012-12-18 14:59:24 UTC
Upstream patch has been applied in cups-1.5.4-22.

Comment 11 Marcus Moeller 2013-10-28 08:13:48 UTC
@Jiri, has this also been made available to Fedora?

Comment 12 Tim Waugh 2013-10-28 12:27:39 UTC
Looks like it:

commit 9db046f6c4f1b7f8afc79cec03780144c9244631
Author: Jiri Popelka <jpopelka>
Date:   Tue Dec 18 15:32:27 2012 +0100

    backport fixes for STR #4125, STR #4140, STR #4187, STR #4205, STR #4232

Comment 15 Ludek Smid 2014-06-13 11:47:21 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.